Abstract image of a woman sitting on books and studying on a laptop

Be Social. Use CrowdRE.

Download as PDF, PPTX
CrowdStrike, profile picture
CrowdStrike

CrowdRE is an IDA Pro plugin that enables collaborative reverse engineering by allowing analysts to share and synchronize analysis results for malware samples. It uses a version control-like system to manage annotations on functions and types, and features fuzzy matching to import relevant annotations from other analysts who have worked on similar code. The tool aims to improve efficiency of malware analysis by facilitating distributed and collaborative work between reverse engineers.

1 of 19
Download as PDF, PPTX
Be Social. Use CrowdRE. An IDA Plugin for Collaborative Reversing Tillmann Werner, Jason Geffner RECON, Montreal, Canada Friday, June 15, 2012
CrowdStrike ■ Stealth mode startup ■ Handpicked ‘A’ team of technical talent ■ 26 Million Series A funding ■ “You don’t have a malware problem, you have an adversary problem”™ ■ We are hiring!
Special Thanks Georg Wicherski Aaron Putnam TJ Little and Harley Jeff Stambolsky Sr. Research Scientist Sr. Research Engineer Sr. UI Engineers Resident Nerd
Why ? ■ Developers work in teams to build the software we are reversing ■ Stuxnet, Flame, Duqu ■ RATs like PoisonIvy ■ Bots like Zeus ■ calc.exe ■ Code reuse is prevalent in malware variants ■ Working together, we can reverse more quickly and efficiently ■ Take a page from developer world and model RE after source control methodologies
Collaborative Reversing ■ Approach 1: Just-in-time propagation of results ■ All changes are synchronized to all users instantly ■ Well-suited for teaching reverse-engineering, demonstrations, etc. ■ Approach 2: Working on different parts, sharing results on demand ■ Distributed tasks ■ Multiple people can work on different parts simultaneously ■ Analysis results can be combined at any time
Related Work – Tools of the Trade ■ IDA Sync, 2005 ■ Real-time synchronization of names, stack variables, comments ■ Hooks into IDA hot keys ■ CollabREate, 2008 ■ Successor of IDA Sync: IDA Pro “remote-control” ■ Snapshot report: replay all updates up until a certain point ■ BinCrowd, 2010 ■ Commit-based model ■ Supports matching similar functions
The Platform ■ Community platform to support professional, distributed RE ■ Design similar to version control systems ■ Commits: annotations per function ■ Free Cloud service for the reverse engineering community ■ People can share their results ■ Reverse engineering projects can benefit from community input ■ IDA Pro plugin ■ Utilizes the power of the Hex-Rays Decompiler plugin ■ Integrates smoothly into IDA’s Qt GUI
Rewoltke  CrowdRE + = rewoltke ...
BinNavi Integration ■ Google is adding integration for CrowdRE to BinNavi ■ Analysts will be able to use BinNavi to share their analysis results with the CrowdRE community ■ Our best wishes go to Thomas Dullien for a speedy recovery
Annotations ■ Function prototype ■ Name ■ Calling convention ■ Return type ■ Parameter types and names ■ Stack variables ■ Register variables (Hex-Rays) ■ Structs, enums ■ Comments – IDA and Hex-Rays
Type Information ■ Types ■ Structs ■ Enums ■ User-defined types ■ Function annotations depend on types ■ Dependencies are recursively included ■ Checkouts contain dependencies, too ■ Name duplicates require conflict resolution ■ User is prompted for solution (update, retain, keep) ■ Future plan: resolving cyclic dependencies
Importing Annotations ■ Batch import ■ The first thing to do when starting to work on a new binary ■ Always the most recent commit ■ Individual imports ■ More control over what to import ■ User can choose between different versions
Finding Functions ■ Exact matching ■ Binary’s hash + function offset ■ Fuzzy matching ■ SHA1 hash over sequence of mnemonics ■ Position-independent representation ■ Want to cover immediates, too ■ Jump and call operands are zeroed out ■ Same for immediates that generate cross-references
Dealing with Multiple Matches FNV Hashes • Fast to compute ■ Multiple matches – which is the best? • Good Avalanche behavior ■ Quality of the annotation • For different word sizes ■ Code similarity ■ Compute similarity value for pairs of inputs hash := FNV_BASIS ■ Rank by this value, let the user choose for byte in input: hash ^= byte hash *= FNV_PRIME ■ Similarity hashing ■ Assign consecutive basic blocks to chunks ■ Fixed number of chunks ensures constant sized output ■ For each chunk: compute FNV hash ■ Combine FNV hashes to final hash ■ s(a, b) = 100 – normalized_levenshtein(simhash(a), simhash(b))
Similarity Hashing – Details ■ Basic block reordering poses challenges ■ Define an order on the set of basic blocks ■ Come up with a reordering resilient scheme BB1 BB2 BB3 BB4 ■ Fuzzy hash serves as pre-filter ■ Matches are usually 100% equal ■ Make fuzzy hash more fuzzy fnv1 fnv2 ■ Position-independent representation quite strict ■ Need to take instruction reordering into account ■ Improved algorithms in future versions
Demo Time!
Future Plans ■ Integration with other RE tools? ■ Cloud service ■ Social ratings of commits ■ Access control lists ■ Client ■ Real time notifications on updated annotations ■ New and improved matching algorithms ■ Ability to deal with cyclic type dependencies ■ Tracking of function/file mappings ■ Mass importing of common library code
Where to get it: http://crowd.re
Be Social. Use CrowdRE.

More Related Content

PDF
SIEM Architecture
Nishanth Kumar Pathi
 
PDF
PCF-VxRail-ReferenceArchiteture
Vuong Pham
 
PPTX
Microsoft Defender for Endpoint
Cheah Eng Soon
 
PDF
Azure Penetration Testing
Cheah Eng Soon
 
PPTX
Microsoft Cloud Adoption Framework for Azure: Governance Conversation
Nicholas Vossburg
 
PDF
Azure Purview Data Toboggan Erwin de Kreuk
Erwin de Kreuk
 
PPTX
Power of the cloud - Introduction to azure security
Bruno Capuano
 
PPTX
Azure Sentinel.pptx
Mohit Chhabra
 
SIEM Architecture
Nishanth Kumar Pathi
 
PCF-VxRail-ReferenceArchiteture
Vuong Pham
 
Microsoft Defender for Endpoint
Cheah Eng Soon
 
Azure Penetration Testing
Cheah Eng Soon
 
Microsoft Cloud Adoption Framework for Azure: Governance Conversation
Nicholas Vossburg
 
Azure Purview Data Toboggan Erwin de Kreuk
Erwin de Kreuk
 
Power of the cloud - Introduction to azure security
Bruno Capuano
 
Azure Sentinel.pptx
Mohit Chhabra
 

What's hot(20)

PDF
Splunk-Presentation
PrasadThorat23
 
PDF
Cloud Security: A New Perspective
Wen-Pai Lu
 
PPT
Data loss prevention (dlp)
Hussein Al-Sanabani
 
PPTX
Microsoft Cloud Adoption Framework for Azure: Thru Partner Governance Workshop
Nicholas Vossburg
 
PPTX
How to build a successful Data Lake
DataWorks Summit/Hadoop Summit
 
PPTX
Delta lake and the delta architecture
Adam Doyle
 
PDF
제조업의 AWS 기반 주요 워크로드 및 고객 사례:: 이현석::AWS Summit Seoul 2018
Amazon Web Services Korea
 
PDF
DataHub
Aditya Parameswaran
 
PPTX
SEIM-Microsoft Sentinel.pptx
AmrMousa51
 
PDF
Référentiels et Normes pour l'Audit de la Sécurité des SI
Alghajati
 
PPTX
DevOps + DataOps = Digital Transformation
Delphix
 
PDF
Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan
David J Rosenthal
 
PDF
Overview of Data Loss Prevention (DLP) Technology
Liwei Ren任力偉
 
PDF
SIEM and Threat Hunting
n|u - The Open Security Community
 
PDF
Data Loss Prevention: Challenges, Impacts & Effective Strategies
Seccuris Inc.
 
PDF
Oracle Cloud Reference Architecture
Bob Rhubart
 
PPTX
Soc
Mukesh Chaudhari
 
PDF
How to Replace Your Legacy Antivirus Solution with CrowdStrike
CrowdStrike
 
PPTX
Microsoft Threat Protection
Thierry DEMAN
 
PPTX
Cloudera - The Modern Platform for Analytics
Cloudera, Inc.
 
Splunk-Presentation
PrasadThorat23
 
Cloud Security: A New Perspective
Wen-Pai Lu
 
Data loss prevention (dlp)
Hussein Al-Sanabani
 
Microsoft Cloud Adoption Framework for Azure: Thru Partner Governance Workshop
Nicholas Vossburg
 
How to build a successful Data Lake
DataWorks Summit/Hadoop Summit
 
Delta lake and the delta architecture
Adam Doyle
 
제조업의 AWS 기반 주요 워크로드 및 고객 사례:: 이현석::AWS Summit Seoul 2018
Amazon Web Services Korea
 
DataHub
Aditya Parameswaran
 
SEIM-Microsoft Sentinel.pptx
AmrMousa51
 
Référentiels et Normes pour l'Audit de la Sécurité des SI
Alghajati
 
DevOps + DataOps = Digital Transformation
Delphix
 
Microsoft Intune - Empowering Enterprise Mobility - Presented by Atidan
David J Rosenthal
 
Overview of Data Loss Prevention (DLP) Technology
Liwei Ren任力偉
 
SIEM and Threat Hunting
n|u - The Open Security Community
 
Data Loss Prevention: Challenges, Impacts & Effective Strategies
Seccuris Inc.
 
Oracle Cloud Reference Architecture
Bob Rhubart
 
Soc
Mukesh Chaudhari
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
CrowdStrike
 
Microsoft Threat Protection
Thierry DEMAN
 
Cloudera - The Modern Platform for Analytics
Cloudera, Inc.
 

Viewers also liked(20)

PDF
CrowdCasts Monthly: Mitigating Pass the Hash
CrowdStrike
 
PDF
CrowdCasts Monthly: When Pandas Attack
CrowdStrike
 
PDF
Hacking Exposed Live: Mobile Targeted Threats
CrowdStrike
 
PDF
End-to-End Analysis of a Domain Generating Algorithm Malware Family
CrowdStrike
 
PDF
Bear Hunting: History and Attribution of Russian Intelligence Operations
CrowdStrike
 
PDF
Battling Unknown Malware with Machine Learning
CrowdStrike
 
PDF
Cloud-Enabled: The Future of Endpoint Security
CrowdStrike
 
PDF
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
CrowdStrike
 
PDF
You Can't Stop The Breach Without Prevention And Detection
CrowdStrike
 
PDF
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
CrowdStrike
 
PDF
Venom
CrowdStrike
 
PDF
TOR... ALL THE THINGS
CrowdStrike
 
PDF
CrowdCast Monthly: Operationalizing Intelligence
CrowdStrike
 
PDF
CrowdCasts Monthly: Going Beyond the Indicator
CrowdStrike
 
PDF
CrowdCasts Monthly: You Have an Adversary Problem
CrowdStrike
 
PDF
End-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
CrowdStrike
 
PPTX
BSides 2016 Presentation
Angelo Rago
 
PPTX
Hunting gh0st rat using memory forensics
Cysinfo Cyber Security Community
 
PPTX
The Enemy Within: Stopping Advanced Attacks Against Local Users
Tal Be'ery
 
PDF
IDAの脆弱性とBug Bounty by 千田 雅明
CODE BLUE
 
CrowdCasts Monthly: Mitigating Pass the Hash
CrowdStrike
 
CrowdCasts Monthly: When Pandas Attack
CrowdStrike
 
Hacking Exposed Live: Mobile Targeted Threats
CrowdStrike
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
CrowdStrike
 
Bear Hunting: History and Attribution of Russian Intelligence Operations
CrowdStrike
 
Battling Unknown Malware with Machine Learning
CrowdStrike
 
Cloud-Enabled: The Future of Endpoint Security
CrowdStrike
 
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
CrowdStrike
 
You Can't Stop The Breach Without Prevention And Detection
CrowdStrike
 
Java Journal & Pyresso: A Python-Based Framework for Debugging Java
CrowdStrike
 
Venom
CrowdStrike
 
TOR... ALL THE THINGS
CrowdStrike
 
CrowdCast Monthly: Operationalizing Intelligence
CrowdStrike
 
CrowdCasts Monthly: Going Beyond the Indicator
CrowdStrike
 
CrowdCasts Monthly: You Have an Adversary Problem
CrowdStrike
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family Whitepaper
CrowdStrike
 
BSides 2016 Presentation
Angelo Rago
 
Hunting gh0st rat using memory forensics
Cysinfo Cyber Security Community
 
The Enemy Within: Stopping Advanced Attacks Against Local Users
Tal Be'ery
 
IDAの脆弱性とBug Bounty by 千田 雅明
CODE BLUE
 

Similar to Be Social. Use CrowdRE.(20)

ODP
Vert.x keynote for EclipseCon 2013
timfox111
 
PPTX
haXe - One codebase to rule'em all
Tom Crombez
 
PDF
ShaREing Is Caring
sporst
 
PDF
Experiences with Microservices at Tuenti
Andrés Viedma Peláez
 
PPTX
Continuous delivery in practice (public)
Tzach Zohar
 
PDF
Deep Learning for Chatbot (3/4)
Jaemin Cho
 
PDF
hover.in at CUFP 2009
Bhasker Kode
 
ODP
Web-scale data processing: practical approaches for low-latency and batch
Edward Capriolo
 
PDF
Maximum Uptime Cluster Orchestration with Ansible
ScyllaDB
 
PDF
"Using the OpenCL C Kernel Language for Embedded Vision Processors," a Presen...
Edge AI and Vision Alliance
 
PDF
Surviving a Plane Crash, a NU.nl case-study
peter_ibuildings
 
PDF
Azure 機器學習 - 使用Python, R, Spark, CNTK 深度學習
Herman Wu
 
PDF
"The life beyond Terraform, or the rise of Platform Engineering", Stanislav ...
Fwdays
 
PDF
Foundational Design Patterns for Multi-Purpose Applications
Ching-Hwa Yu
 
PPTX
JAVA Module 1______________________.pptx
Radhika Venkatesh
 
PDF
Schema migration (DB migration) with Phinx
Hadi Ariawan
 
PPTX
N api - node interactive 2017
Michael Dawson
 
PDF
Building and deploying LLM applications with Apache Airflow
Kaxil Naik
 
PDF
GPCE16 Poster: Automatic Non-functional Testing of Code Generators Families
Mohamed BOUSSAA
 
PDF
New Developments in H2O: April 2017 Edition
Sri Ambati
 
Vert.x keynote for EclipseCon 2013
timfox111
 
haXe - One codebase to rule'em all
Tom Crombez
 
ShaREing Is Caring
sporst
 
Experiences with Microservices at Tuenti
Andrés Viedma Peláez
 
Continuous delivery in practice (public)
Tzach Zohar
 
Deep Learning for Chatbot (3/4)
Jaemin Cho
 
hover.in at CUFP 2009
Bhasker Kode
 
Web-scale data processing: practical approaches for low-latency and batch
Edward Capriolo
 
Maximum Uptime Cluster Orchestration with Ansible
ScyllaDB
 
"Using the OpenCL C Kernel Language for Embedded Vision Processors," a Presen...
Edge AI and Vision Alliance
 
Surviving a Plane Crash, a NU.nl case-study
peter_ibuildings
 
Azure 機器學習 - 使用Python, R, Spark, CNTK 深度學習
Herman Wu
 
"The life beyond Terraform, or the rise of Platform Engineering", Stanislav ...
Fwdays
 
Foundational Design Patterns for Multi-Purpose Applications
Ching-Hwa Yu
 
JAVA Module 1______________________.pptx
Radhika Venkatesh
 
Schema migration (DB migration) with Phinx
Hadi Ariawan
 
N api - node interactive 2017
Michael Dawson
 
Building and deploying LLM applications with Apache Airflow
Kaxil Naik
 
GPCE16 Poster: Automatic Non-functional Testing of Code Generators Families
Mohamed BOUSSAA
 
New Developments in H2O: April 2017 Edition
Sri Ambati
 

More from CrowdStrike(8)

PDF
State of Endpoint Security: The Buyers Mindset
CrowdStrike
 
PDF
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
CrowdStrike
 
PDF
Cyber Security Extortion: Defending Against Digital Shakedowns
CrowdStrike
 
PDF
An Inside Look At The WannaCry Ransomware Outbreak
CrowdStrike
 
PDF
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
CrowdStrike
 
PDF
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
CrowdStrike
 
PDF
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike
 
PDF
TOR... ALL THE THINGS Whitepaper
CrowdStrike
 
State of Endpoint Security: The Buyers Mindset
CrowdStrike
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
CrowdStrike
 
Cyber Security Extortion: Defending Against Digital Shakedowns
CrowdStrike
 
An Inside Look At The WannaCry Ransomware Outbreak
CrowdStrike
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
CrowdStrike
 
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
CrowdStrike
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike
 
TOR... ALL THE THINGS Whitepaper
CrowdStrike
 

Recently uploaded(20)

PDF
Optimizing long short-term memory hyperparameter for cryptocurrency sentiment...
IAESIJAI
 
PDF
Prediction of side effects of drug resistant tuberculosis drugs using multi-l...
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles – September ’25 Week I
NewMind AI
 
PDF
Kickstart your DevOps path with core skills
Omar Fathy
 
PDF
September Patch Tuesday
Ivanti
 
PDF
Master the New ArcGIS Connector: Streamlined Data Management & Robust Metadata
Safe Software
 
PPTX
presntation of more HTl for biomass.pptx
milibangml
 
PPTX
Risk - GRC - Kick-Off Presentation - San Diego (1).pptx
olivolikleber
 
PDF
An automatic social engagement measurement during human robot interaction
IAESIJAI
 
PDF
SUPPLY CHAIN MANAGEMENT IN INDIAN AUTOMOTIVE INDUSTRY : COMPLEXITIES, CHALLEN...
ijmvsc
 
PPTX
Microsoft Azure News - Sepr 2025 -- BAUG
Daniel Toomey
 
PDF
Mastering ChatGPT Prompts for Faster, Smarter Output
diyavivid
 
PPTX
MINI PROJECT REPORT ON BOOK STORE WEBSITE
bipinchaudhary9548
 
PDF
“Introduction to Enhancing Data Quality for AI Success,” a Presentation from ...
Edge AI and Vision Alliance
 
PDF
How to Transform Manufacturing with IIoT: A Step-by-Step Implementation Guide
Rejig Digital
 
PDF
Upskill to Agentic Automation: Orchestration with UiPath Maestro™
DianaGray10
 
PDF
introductiontoartificialintelligencevsuresh-250909094214-772bcc0e.pdf
multiplecategories
 
PDF
302.AI vs. Azure OpenAI: The Pragmatic Engineer's Guide to Choosing an AI Pla...
mushabahmedforbusine
 
PDF
A comprehensive review of interpretable machine learning techniques for phish...
IAESIJAI
 
PDF
Investigation on low-performance tuned-regressor of inhibitory concentration ...
IAESIJAI
 
Optimizing long short-term memory hyperparameter for cryptocurrency sentiment...
IAESIJAI
 
Prediction of side effects of drug resistant tuberculosis drugs using multi-l...
IAESIJAI
 
NewMind AI Weekly Chronicles – September ’25 Week I
NewMind AI
 
Kickstart your DevOps path with core skills
Omar Fathy
 
September Patch Tuesday
Ivanti
 
Master the New ArcGIS Connector: Streamlined Data Management & Robust Metadata
Safe Software
 
presntation of more HTl for biomass.pptx
milibangml
 
Risk - GRC - Kick-Off Presentation - San Diego (1).pptx
olivolikleber
 
An automatic social engagement measurement during human robot interaction
IAESIJAI
 
SUPPLY CHAIN MANAGEMENT IN INDIAN AUTOMOTIVE INDUSTRY : COMPLEXITIES, CHALLEN...
ijmvsc
 
Microsoft Azure News - Sepr 2025 -- BAUG
Daniel Toomey
 
Mastering ChatGPT Prompts for Faster, Smarter Output
diyavivid
 
MINI PROJECT REPORT ON BOOK STORE WEBSITE
bipinchaudhary9548
 
“Introduction to Enhancing Data Quality for AI Success,” a Presentation from ...
Edge AI and Vision Alliance
 
How to Transform Manufacturing with IIoT: A Step-by-Step Implementation Guide
Rejig Digital
 
Upskill to Agentic Automation: Orchestration with UiPath Maestro™
DianaGray10
 
introductiontoartificialintelligencevsuresh-250909094214-772bcc0e.pdf
multiplecategories
 
302.AI vs. Azure OpenAI: The Pragmatic Engineer's Guide to Choosing an AI Pla...
mushabahmedforbusine
 
A comprehensive review of interpretable machine learning techniques for phish...
IAESIJAI
 
Investigation on low-performance tuned-regressor of inhibitory concentration ...
IAESIJAI
 
In this document
Powered by AI

CrowdRE is introduced as an IDA plugin for collaborative reversing by developers Tillmann Werner and Jason Geffner, showcasing a strong team and financial backing.

Explores collaborative reversing methods in malware analysis, highlighting the need for teamwork and code reuse to enhance efficiency in analysis.

Discusses previous tools like IDA Sync and introduces a community platform for professional reverse engineering with annotation sharing and integration with Hex-Rays.

Describes the integration of CrowdRE in BinNavi and outlines essential annotations for functions, emphasizing community contributions and detailed analysis.

Focuses on handling type definitions, annotations, and dependency resolution in CrowdRE, including methods for importing and finding functions.

Explains strategies for managing multiple function matches and the importance of similarity hashing and basic block reordering in improving analysis accuracy.

Concludes with live demo expectations and future enhancements including tool integration, cloud services, and upgraded algorithms.

Be Social. Use CrowdRE.

  • 1.
    Be Social. UseCrowdRE. An IDA Plugin for Collaborative Reversing Tillmann Werner, Jason Geffner RECON, Montreal, Canada Friday, June 15, 2012
  • 2.
    CrowdStrike ■ Stealth modestartup ■ Handpicked ‘A’ team of technical talent ■ 26 Million Series A funding ■ “You don’t have a malware problem, you have an adversary problem”™ ■ We are hiring!
  • 3.
    Special Thanks Georg Wicherski Aaron Putnam TJ Little and Harley Jeff Stambolsky Sr. Research Scientist Sr. Research Engineer Sr. UI Engineers Resident Nerd
  • 4.
    Why ? ■ Developers work in teams to build the software we are reversing ■ Stuxnet, Flame, Duqu ■ RATs like PoisonIvy ■ Bots like Zeus ■ calc.exe ■ Code reuse is prevalent in malware variants ■ Working together, we can reverse more quickly and efficiently ■ Take a page from developer world and model RE after source control methodologies
  • 5.
    Collaborative Reversing ■ Approach1: Just-in-time propagation of results ■ All changes are synchronized to all users instantly ■ Well-suited for teaching reverse-engineering, demonstrations, etc. ■ Approach 2: Working on different parts, sharing results on demand ■ Distributed tasks ■ Multiple people can work on different parts simultaneously ■ Analysis results can be combined at any time
  • 6.
    Related Work –Tools of the Trade ■ IDA Sync, 2005 ■ Real-time synchronization of names, stack variables, comments ■ Hooks into IDA hot keys ■ CollabREate, 2008 ■ Successor of IDA Sync: IDA Pro “remote-control” ■ Snapshot report: replay all updates up until a certain point ■ BinCrowd, 2010 ■ Commit-based model ■ Supports matching similar functions
  • 7.
    The Platform ■ Community platform to support professional, distributed RE ■ Design similar to version control systems ■ Commits: annotations per function ■ Free Cloud service for the reverse engineering community ■ People can share their results ■ Reverse engineering projects can benefit from community input ■ IDA Pro plugin ■ Utilizes the power of the Hex-Rays Decompiler plugin ■ Integrates smoothly into IDA’s Qt GUI
  • 8.
    Rewoltke  CrowdRE + = rewoltke ...
  • 9.
    BinNavi Integration ■ Googleis adding integration for CrowdRE to BinNavi ■ Analysts will be able to use BinNavi to share their analysis results with the CrowdRE community ■ Our best wishes go to Thomas Dullien for a speedy recovery
  • 10.
    Annotations ■ Function prototype ■ Name ■ Calling convention ■ Return type ■ Parameter types and names ■ Stack variables ■ Register variables (Hex-Rays) ■ Structs, enums ■ Comments – IDA and Hex-Rays
  • 11.
    Type Information ■ Types ■ Structs ■ Enums ■ User-defined types ■ Function annotations depend on types ■ Dependencies are recursively included ■ Checkouts contain dependencies, too ■ Name duplicates require conflict resolution ■ User is prompted for solution (update, retain, keep) ■ Future plan: resolving cyclic dependencies
  • 12.
    Importing Annotations ■ Batchimport ■ The first thing to do when starting to work on a new binary ■ Always the most recent commit ■ Individual imports ■ More control over what to import ■ User can choose between different versions
  • 13.
    Finding Functions ■ Exactmatching ■ Binary’s hash + function offset ■ Fuzzy matching ■ SHA1 hash over sequence of mnemonics ■ Position-independent representation ■ Want to cover immediates, too ■ Jump and call operands are zeroed out ■ Same for immediates that generate cross-references
  • 14.
    Dealing with MultipleMatches FNV Hashes • Fast to compute ■ Multiple matches – which is the best? • Good Avalanche behavior ■ Quality of the annotation • For different word sizes ■ Code similarity ■ Compute similarity value for pairs of inputs hash := FNV_BASIS ■ Rank by this value, let the user choose for byte in input: hash ^= byte hash *= FNV_PRIME ■ Similarity hashing ■ Assign consecutive basic blocks to chunks ■ Fixed number of chunks ensures constant sized output ■ For each chunk: compute FNV hash ■ Combine FNV hashes to final hash ■ s(a, b) = 100 – normalized_levenshtein(simhash(a), simhash(b))
  • 15.
    Similarity Hashing –Details ■ Basic block reordering poses challenges ■ Define an order on the set of basic blocks ■ Come up with a reordering resilient scheme BB1 BB2 BB3 BB4 ■ Fuzzy hash serves as pre-filter ■ Matches are usually 100% equal ■ Make fuzzy hash more fuzzy fnv1 fnv2 ■ Position-independent representation quite strict ■ Need to take instruction reordering into account ■ Improved algorithms in future versions
  • 16.
  • 17.
    Future Plans ■ Integrationwith other RE tools? ■ Cloud service ■ Social ratings of commits ■ Access control lists ■ Client ■ Real time notifications on updated annotations ■ New and improved matching algorithms ■ Ability to deal with cyclic type dependencies ■ Tracking of function/file mappings ■ Mass importing of common library code
  • 18.
    Where to getit: http://crowd.re